From: "Frank Ch. Eigler (Jira)"
To: issues@commons.apache.org
Date: Mon, 21 Sep 2020 19:17:00 +0000 (UTC)
Subject: [jira] [Commented] (LANG-1607) To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG

[ https://issues.apache.org/jira/browse/LANG-1607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17199612#comment-17199612 ]

Frank Ch. Eigler commented on LANG-1607:
----------------------------------------

I see, an earlier search for the CVE name came up completely empty. Maybe it was a search system problem.

Is my impression correct that the code maintainers are refusing to change the default RNG, and have decided to handle this as a documentation issue only? If so, I guess we can close this with the Jira equivalent of "WONTFIX", too bad.

> To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG
> ----------------------------------------------------------------------------
>
> Key: LANG-1607
> URL: https://issues.apache.org/jira/browse/LANG-1607
> Project: Commons Lang
> Issue Type: Bug
> Reporter: Frank Ch. Eigler
> Priority: Major
>
> In [https://nvd.nist.gov/vuln/detail/CVE-2019-16303], the org.apache.commons.lang3.RandomStringUtils randomAlphanumeric() function is used to generate random strings. Because of weaknesses of the default RNG, this allows baddies to predict other randomAlphanumeric() results, which in this large family of client programs, results in severe vulnerabilities.
> While the class is not documented to be "cryptographically safe", it would be prudent to upgrade the default RNG used in these classes to be crypto-usable level, such as with the java.security.SecureRandom nextBytes().
> See e.g. this GitHub PR, which is being replicated THOUSANDS of times, in order to work around this problem in countless users of this library. [https://github.com/elderdb/neptune/pull/1]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
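An added example, not code from the issue, from Commons Lang or from the linked PR, showing the call-site workaround the issue alludes to: keep RandomStringUtils but hand it a java.security.SecureRandom instead of relying on the shared default java.util.Random. The class and method names are assumptions; the seven-argument RandomStringUtils.random(...) overload and SecureRandom are real, long-standing APIs.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

public final class TokenExample {
    private static final SecureRandom SECURE = new SecureRandom();
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // The pattern the issue describes: the no-argument helpers draw from a
    // single shared java.util.Random, whose future output can be recovered
    // from a handful of observed values, so tokens built this way are
    // guessable by anyone who has seen a few of them.
    static String weakToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // Same library and same character set (start=0, end=0, chars=null with
    // letters and numbers enabled is the alphanumeric configuration), but the
    // caller supplies the RNG: the 7-argument overload accepts any
    // java.util.Random, and SecureRandom is a subclass of it.
    static String secureToken(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    // Library-free variant (a hypothetical helper, not from the issue): pick
    // each character with SecureRandom.nextInt(bound), which yields a uniform
    // index without a modulo step that could bias the distribution.
    static String secureTokenPlainJdk(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(SECURE.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("default RNG : " + weakToken(32));
        System.out.println("SecureRandom: " + secureToken(32));
        System.out.println("plain JDK   : " + secureTokenPlainJdk(32));
    }
}
```

When auditing a code base for this pattern, the thing to grep for is any RandomStringUtils call that is used for a session id, password reset token or similar secret and that does not pass an explicit Random argument.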